author: Tom Lane <tgl@sss.pgh.pa.us> 2017-11-06 12:02:30 -0500
committer: Tom Lane <tgl@sss.pgh.pa.us> 2017-11-06 12:02:30 -0500
commit: 50abeafc74a812d2449ec49dc16e99baf8c5023a
tree: 2f71eb56af8e30cee53bb60b228241d808a7cdc0
parent: c30f082d2767c22cefb8875dcb1932e5ed338db6
Last-minute updates for release notes.
Security: CVE-2017-12172, CVE-2017-15098, CVE-2017-15099
-rw-r--r-- doc/src/sgml/release-10.sgml 108
-rw-r--r-- doc/src/sgml/release-9.2.sgml 25
-rw-r--r-- doc/src/sgml/release-9.3.sgml 42
-rw-r--r-- doc/src/sgml/release-9.4.sgml 42
-rw-r--r-- doc/src/sgml/release-9.5.sgml 75
-rw-r--r-- doc/src/sgml/release-9.6.sgml 75
6 files changed, 364 insertions, 3 deletions
diff --git a/doc/src/sgml/release-10.sgml b/doc/src/sgml/release-10.sgml
index 6c07157d294..30d602a053d 100644
--- a/doc/src/sgml/release-10.sgml
+++ b/doc/src/sgml/release-10.sgml
@@ -23,7 +23,7 @@
</para>
<para>
- However, if you use BRIN indexes, see the first changelog entry below.
+ However, if you use BRIN indexes, see the fourth changelog entry below.
</para>
</sect2>
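Review bot: The pointer "see the fourth changelog entry below" counts entries by position, and this line had to change from "first" to "fourth" only because new entries were inserted ahead of the BRIN one; the next insertion will silently make it wrong again. Consider naming the BRIN entry by its subject or linking to it, so the migration note does not depend on entry ordering.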
@@ -34,6 +34,92 @@
<listitem>
<!--
+Author: Dean Rasheed <dean.a.rasheed@gmail.com>
+Branch: master [87b2ebd35] 2017-11-06 09:19:22 +0000
+Branch: REL_10_STABLE [3f8089572] 2017-11-06 09:17:44 +0000
+Branch: REL9_6_STABLE [1f23d1cd2] 2017-11-06 09:16:24 +0000
+Branch: REL9_5_STABLE [045a18888] 2017-11-06 09:15:11 +0000
+-->
+ <para>
+ Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks
+ table permissions and RLS policies in all cases (Dean Rasheed)
+ </para>
+
+ <para>
+ The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal>
+ requires <literal>SELECT</literal> permission on the columns of the
+ arbiter index, but it failed to check for that in the case of an
+ arbiter specified by constraint name.
+ In addition, for a table with row level security enabled, it failed to
+ check updated rows against the table's <literal>SELECT</literal>
+ policies (regardless of how the arbiter index was specified).
+ (CVE-2017-15099)
+ </para>
+ </listitem>
+
+ <listitem>
+<!--
+Author: Tom Lane <tgl@sss.pgh.pa.us>
+Branch: master [b57422871] 2017-11-06 10:29:37 -0500
+Branch: REL_10_STABLE [c30f082d2] 2017-11-06 10:29:38 -0500
+Branch: REL9_6_STABLE [38e825632] 2017-11-06 10:29:39 -0500
+Branch: REL9_5_STABLE [d5fe5fb23] 2017-11-06 10:29:40 -0500
+Branch: REL9_4_STABLE [70846ee05] 2017-11-06 10:29:41 -0500
+Branch: REL9_3_STABLE [c0c8807de] 2017-11-06 10:29:42 -0500
+-->
+ <para>
+ Fix crash due to rowtype mismatch
+ in <function>json{b}_populate_recordset()</function>
+ (Michael Paquier, Tom Lane)
+ </para>
+
+ <para>
+ These functions used the result rowtype specified in the <literal>FROM
+ ... AS</literal> clause without checking that it matched the actual
+ rowtype of the supplied tuple value. If it didn't, that would usually
+ result in a crash, though disclosure of server memory contents seems
+ possible as well.
+ (CVE-2017-15098)
+ </para>
+ </listitem>
+
+ <listitem>
+<!--
+Author: Noah Misch <noah@leadboat.com>
+Branch: master [dfc015dcf] 2017-11-06 07:11:10 -0800
+Branch: REL_10_STABLE [6b0b983f7] 2017-11-06 07:11:13 -0800
+Branch: REL9_6_STABLE [b7d6f7507] 2017-11-06 07:11:13 -0800
+Branch: REL9_5_STABLE [ed546dd06] 2017-11-06 07:11:13 -0800
+Branch: REL9_4_STABLE [29d067051] 2017-11-06 07:11:13 -0800
+Branch: REL9_3_STABLE [b50029768] 2017-11-06 07:11:13 -0800
+Branch: REL9_2_STABLE [eda780281] 2017-11-06 07:11:13 -0800
+-->
+ <para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
+ <listitem>
+<!--
Author: Alvaro Herrera <alvherre@alvh.no-ip.org>
Branch: master [ec42a1dcb] 2017-11-03 17:23:13 +0100
Branch: REL_10_STABLE [37a856567] 2017-11-03 17:23:13 +0100
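Review bot: The CVE-2017-15099 entry at the top of this hunk says which checks were skipped but, unlike the two entries after it (crash or memory disclosure; corruption of another user's file), never says what the gap allows. Add a sentence stating the consequence of the missing SELECT permission and RLS policy checks, so readers can judge how urgently tables that rely on column privileges or row level security need the update.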
@@ -595,6 +681,26 @@ Branch: REL9_3_STABLE [deb429b51] 2017-11-03 12:40:42 +0100
<listitem>
<!--
+Author: Noah Misch <noah@leadboat.com>
+Branch: master [c66b438db] 2017-11-05 18:51:08 -0800
+Branch: REL_10_STABLE [937f67800] 2017-11-05 18:51:15 -0800
+Branch: REL9_6_STABLE [971983f42] 2017-11-05 18:52:38 -0800
+Branch: REL9_5_STABLE [014c5cd87] 2017-11-05 18:54:52 -0800
+-->
+ <para>
+ Fix missing temp-install prerequisites
+ for <literal>check</literal>-like Make targets (Noah Misch)
+ </para>
+
+ <para>
+ Some non-default test procedures that are meant to work
+ like <literal>make check</literal> failed to ensure that the temporary
+ installation was up to date.
+ </para>
+ </listitem>
+
+ <listitem>
+<!--
Author: Tom Lane <tgl@sss.pgh.pa.us>
Branch: master [8df4ce1ea] 2017-10-23 18:15:36 -0400
Branch: REL_10_STABLE [0cde56247] 2017-10-23 18:15:42 -0400
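Review bot: "Some non-default test procedures" in the second paragraph of the temp-install entry does not tell a reader which targets were affected or what went wrong as a result. Name the check-like targets concerned, or at least state the visible symptom of a temporary installation that was not up to date, so developers can tell whether earlier test results need to be rerun.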
diff --git a/doc/src/sgml/release-9.2.sgml b/doc/src/sgml/release-9.2.sgml
index 2f5f054c4e9..e2da35bcd44 100644
--- a/doc/src/sgml/release-9.2.sgml
+++ b/doc/src/sgml/release-9.2.sgml
@@ -42,6 +42,31 @@
<listitem>
<para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
Properly reject attempts to convert infinite float values to
type <type>numeric</type> (Tom Lane, KaiGai Kohei)
</para>
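Review bot: The third paragraph of the CVE-2017-12172 entry tells users to "manually recopy" the scripts but never says where the sample server-start scripts live in the source tree or how to recognize an affected copy. Add the location of the samples and a short description of what changed in them, so administrators with locally modified scripts know what to apply; a hint on how to check whether the existing $PGLOG is root-owned would also help.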
diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml
index 82f705522e6..ed0e292d9a8 100644
--- a/doc/src/sgml/release-9.3.sgml
+++ b/doc/src/sgml/release-9.3.sgml
@@ -36,6 +36,48 @@
<listitem>
<para>
+ Fix crash due to rowtype mismatch
+ in <function>json{b}_populate_recordset()</function>
+ (Michael Paquier, Tom Lane)
+ </para>
+
+ <para>
+ These functions used the result rowtype specified in the <literal>FROM
+ ... AS</literal> clause without checking that it matched the actual
+ rowtype of the supplied tuple value. If it didn't, that would usually
+ result in a crash, though disclosure of server memory contents seems
+ possible as well.
+ (CVE-2017-15098)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
Properly reject attempts to convert infinite float values to
type <type>numeric</type> (Tom Lane, KaiGai Kohei)
</para>
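Review bot: The json{b}_populate_recordset() shorthand in the first added entry is copied unchanged into every branch's notes; for release-9.3.sgml, confirm that both the json and jsonb variants exist on that branch, and name only the function that does if not. Spelling out the real function names would also make the entry findable by someone searching the notes for the function they call.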
diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml
index ab47dc50ddd..d8b6b1777c7 100644
--- a/doc/src/sgml/release-9.4.sgml
+++ b/doc/src/sgml/release-9.4.sgml
@@ -35,6 +35,48 @@
<listitem>
<para>
+ Fix crash due to rowtype mismatch
+ in <function>json{b}_populate_recordset()</function>
+ (Michael Paquier, Tom Lane)
+ </para>
+
+ <para>
+ These functions used the result rowtype specified in the <literal>FROM
+ ... AS</literal> clause without checking that it matched the actual
+ rowtype of the supplied tuple value. If it didn't, that would usually
+ result in a crash, though disclosure of server memory contents seems
+ possible as well.
+ (CVE-2017-15098)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
Fix crash when logical decoding is invoked from a SPI-using function,
in particular any function written in a PL language
(Tom Lane)
diff --git a/doc/src/sgml/release-9.5.sgml b/doc/src/sgml/release-9.5.sgml
index 3ab5df7a5f4..a1e68ba283a 100644
--- a/doc/src/sgml/release-9.5.sgml
+++ b/doc/src/sgml/release-9.5.sgml
@@ -23,7 +23,7 @@
</para>
<para>
- However, if you use BRIN indexes, see the first changelog entry below.
+ However, if you use BRIN indexes, see the fourth changelog entry below.
</para>
<para>
@@ -39,6 +39,66 @@
<listitem>
<para>
+ Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks
+ table permissions and RLS policies in all cases (Dean Rasheed)
+ </para>
+
+ <para>
+ The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal>
+ requires <literal>SELECT</literal> permission on the columns of the
+ arbiter index, but it failed to check for that in the case of an
+ arbiter specified by constraint name.
+ In addition, for a table with row level security enabled, it failed to
+ check updated rows against the table's <literal>SELECT</literal>
+ policies (regardless of how the arbiter index was specified).
+ (CVE-2017-15099)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix crash due to rowtype mismatch
+ in <function>json{b}_populate_recordset()</function>
+ (Michael Paquier, Tom Lane)
+ </para>
+
+ <para>
+ These functions used the result rowtype specified in the <literal>FROM
+ ... AS</literal> clause without checking that it matched the actual
+ rowtype of the supplied tuple value. If it didn't, that would usually
+ result in a crash, though disclosure of server memory contents seems
+ possible as well.
+ (CVE-2017-15098)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
Fix BRIN index summarization to handle concurrent table extension
correctly (&Aacute;lvaro Herrera)
</para>
@@ -261,6 +321,19 @@
<listitem>
<para>
+ Fix missing temp-install prerequisites
+ for <literal>check</literal>-like Make targets (Noah Misch)
+ </para>
+
+ <para>
+ Some non-default test procedures that are meant to work
+ like <literal>make check</literal> failed to ensure that the temporary
+ installation was up to date.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
Sync our copy of the timezone library with IANA release tzcode2017c
(Tom Lane)
</para>
diff --git a/doc/src/sgml/release-9.6.sgml b/doc/src/sgml/release-9.6.sgml
index 5e358ef4b4d..65df3113c2c 100644
--- a/doc/src/sgml/release-9.6.sgml
+++ b/doc/src/sgml/release-9.6.sgml
@@ -23,7 +23,7 @@
</para>
<para>
- However, if you use BRIN indexes, see the first changelog entry below.
+ However, if you use BRIN indexes, see the fourth changelog entry below.
</para>
<para>
@@ -39,6 +39,66 @@
<listitem>
<para>
+ Ensure that <literal>INSERT ... ON CONFLICT DO UPDATE</literal> checks
+ table permissions and RLS policies in all cases (Dean Rasheed)
+ </para>
+
+ <para>
+ The update path of <literal>INSERT ... ON CONFLICT DO UPDATE</literal>
+ requires <literal>SELECT</literal> permission on the columns of the
+ arbiter index, but it failed to check for that in the case of an
+ arbiter specified by constraint name.
+ In addition, for a table with row level security enabled, it failed to
+ check updated rows against the table's <literal>SELECT</literal>
+ policies (regardless of how the arbiter index was specified).
+ (CVE-2017-15099)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix crash due to rowtype mismatch
+ in <function>json{b}_populate_recordset()</function>
+ (Michael Paquier, Tom Lane)
+ </para>
+
+ <para>
+ These functions used the result rowtype specified in the <literal>FROM
+ ... AS</literal> clause without checking that it matched the actual
+ rowtype of the supplied tuple value. If it didn't, that would usually
+ result in a crash, though disclosure of server memory contents seems
+ possible as well.
+ (CVE-2017-15098)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Fix sample server-start scripts to become <literal>$PGUSER</literal>
+ before opening <literal>$PGLOG</literal> (Noah Misch)
+ </para>
+
+ <para>
+ Previously, the postmaster log file was opened while still running as
+ root. The database owner could therefore mount an attack against
+ another system user by making <literal>$PGLOG</literal> be a symbolic
+ link to some other file, which would then become corrupted by appending
+ log messages.
+ </para>
+
+ <para>
+ By default, these scripts are not installed anywhere. Users who have
+ made use of them will need to manually recopy them, or apply the same
+ changes to their modified versions. If the
+ existing <literal>$PGLOG</literal> file is root-owned, it will need to
+ be removed or renamed out of the way before restarting the server with
+ the corrected script.
+ (CVE-2017-12172)
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
Fix BRIN index summarization to handle concurrent table extension
correctly (&Aacute;lvaro Herrera)
</para>
@@ -460,6 +520,19 @@ Branch: REL9_6_STABLE [407e66078] 2017-09-14 01:17:15 +0200
</listitem>
<listitem>
+ <para>
+ Fix missing temp-install prerequisites
+ for <literal>check</literal>-like Make targets (Noah Misch)
+ </para>
+
+ <para>
+ Some non-default test procedures that are meant to work
+ like <literal>make check</literal> failed to ensure that the temporary
+ installation was up to date.
+ </para>
+ </listitem>
+
+ <listitem>
<!--
Author: Tom Lane <tgl@sss.pgh.pa.us>
Branch: master [47f849a3c] 2017-09-22 00:04:29 -0400
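Review bot: The added temp-install entry in this hunk has no Author/Branch commit comment, while the entry that follows it keeps one and the release-10.sgml copy of the same entry carries the Noah Misch comment with the REL9_6_STABLE commit listed. Add the matching comment block here for consistency, or state that back-branch copies omit it deliberately.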